Security Incidents mailing list archives

Intrusion


From: "Harlan S. Barney, Jr." <hsbarney () NYCAP RR COM>
Date: Wed, 24 Jan 2001 14:36:16 -0500

I have detected an intrusion into my computer from within your
system.

This message is not from an auto-responder program.  I report
ALL intrusions and expect maximum penalties.

I am using the BlackICE program.

Record(s) from Attack-list.csv follow, date and time are GMT:

Other information:


I would appreciate knowing if the miscreant is identified and what
punishment was delivered.  I do not appreciate these intrusions and the
effect they could potentially have on my computer system as well as my
time I have to spend defending my computer system.

I am willing to press charges.

Harlan S. Barney, Jr.
Scotia, NY

Description of Attack-list.csv file follows:
This file is in "CSV" (Comma Separated Value) format, and
can be imported into spreadsheets and database programs
for further processing.

The columns are, from left to right:

Severity          This is a number from 1-99 that indicates the severity
                  of an attack, where 1 is not very severe, and 99 is the
                  most severe attack. Unfortunately, these levels do not
                  have any precise meaning. Even an attack at level 1
                  may result in a compromise of the machine, whereas an
                  attack at level 99 could be harmless. The assigned
                  level is just a best-guess.
Timestamp         This indicates the time and date of the last time the
                  attack occurred. Attacks are "coalesced", meaning that
                  if the same attack occurs multiple times, earlier
                  attacks are sometimes removed from the list and simply
                  merged with the latest one. A count of the number of
                  times an attack has occurred is kept in another column.
                  This timestamp is kept in GMT (aka UTC), and is
                  several hours off from the time you see in the user
                  interface. The ISP will want the time in this
                  format so they don't have to worry about what timezone
                  you are in.
                  NOTE: the computer clock is updated daily from NIST.
"issueId"         A numeric identifier for this attack type. Each of the
                  more than 250 attacks that BlackICE Defender detects
                  is assigned a unique number. This number is used for
                  all internal processing of events. This number may
                  also be pasted at the end of the URL
                    http://advice.networkice.com/advice/intrusions/
                  in order to get help on the event.
"issueName"       The name of the attack. Each of the unique "issueId"
                  numbers has a name associated with it.
Intruder's IP address
                  The IP address of the attacker. Remember that IP
                  addresses can sometimes be "spoofed" (forged), or that
                  an intrusion may be a "false-positive", so there isn't
                  a 100% chance that this is actually a hostile person.
Intruder's name   The name of the intruder. We scan both Internet
                  databases like DNS as well as the attacker itself in
                  order to find the "best-name" of the machine, then
                  display it here.
Victim's IP address
                  This is the IP address of who the intruder was
                  attacking. For example, if a user is running BlackICE
                  Defender and gets attacked on a dial-up, then this
                  will be the IP address assigned to that machine during
                  that dialup session.
"parameters"      This contains some detailed information about the
                  attack. For example, in a "TCP port probe" scan, this
                  will contain a list of "ports" the attacker was
                  scanning.
                  The meaning of this information is documented in the
                  "advICE" database.
Count             The number of times this attack was seen.
Response Level    Its various values can be:
                        A:  Blocked
                        B:  Attack was unsuccessful;  BlackICE didn't
                            have to block it
                        C:  Attack status unknown;  BlackICE triggered
                            protection measure;  it's unlikely the
                            system was compromised
                        D:  Attack possible;  BlackICE triggered
                            protection measure;  attack may have
                            compromised system
                        E:  Attack was successful;  BlackICE could not
                            block attack;  system was compromised
END OF MESSAGE
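An added example, not part of the message or of BlackICE, that parses Attack-list.csv rows in the column order described above and triages them by Response Level rather than by the Severity number, which the description says has no precise meaning. It assumes no header row and a "YYYY-MM-DD HH:MM:SS" GMT timestamp layout; the sample rows, the issueIds 1001-1003 and the issue names other than "TCP port probe" are constructed.

```python
import csv
import io
from collections import namedtuple
from datetime import datetime, timezone

# Column order as given in the Attack-list.csv description ("Count" is hit_count here).
COLUMNS = ("severity", "timestamp", "issue_id", "issue_name", "intruder_ip",
           "intruder_name", "victim_ip", "parameters", "hit_count", "response_level")
Event = namedtuple("Event", COLUMNS)

# Response Level codes A..E, as documented in the message.
RESPONSE_LEVELS = {
    "A": "Blocked",
    "B": "Attack unsuccessful; BlackICE did not have to block it",
    "C": "Attack status unknown; protection triggered; compromise unlikely",
    "D": "Attack possible; protection triggered; may have compromised system",
    "E": "Attack successful; could not block; system compromised",
}

def advice_url(event):
    # The message says the issueId may be pasted onto the end of this URL for help.
    return f"http://advice.networkice.com/advice/intrusions/{event.issue_id}"

def parse_attack_list(text):
    """Parse rows into Events. Timestamps are GMT per the message; the
    'YYYY-MM-DD HH:MM:SS' layout and the missing header row are assumptions."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(COLUMNS):
            continue  # blank or malformed line
        r = dict(zip(COLUMNS, row))
        r["severity"], r["issue_id"], r["hit_count"] = int(r["severity"]), int(r["issue_id"]), int(r["hit_count"])
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        r["response_level"] = r["response_level"].strip().upper()
        events.append(Event(**r))
    return events

def needs_follow_up(events):
    """Triage on Response Level, not Severity: only D and E mean the victim host
    may have been compromised. Most serious and most recent first."""
    return sorted((e for e in events if e.response_level in ("D", "E")),
                  key=lambda e: (e.response_level, e.timestamp), reverse=True)

# Constructed sample rows (not from the message); issueIds 1001-1003 are placeholders.
SAMPLE = '''\
30,2001-01-24 19:10:05,1001,TCP port probe,192.0.2.10,host.example,198.51.100.7,"port=21&port=23&port=139",4,A
10,2001-01-24 19:12:44,1002,ICMP flood,192.0.2.11,,198.51.100.7,,12,B
75,2001-01-24 19:20:00,1003,NetBIOS share access,192.0.2.12,,198.51.100.7,share=C$,1,D
'''
```

Calling `needs_follow_up(parse_attack_list(SAMPLE))` returns only the D-level record; the A and B rows carried a higher hit count and a similar severity but, by the code table, needed no further action.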